<%@ page language="java"%>
<%@ page import="java.sql.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.io.*"%>
<html>
<head><title>Change Screen</title>
</head>
<body>
<center>
<%
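	/**
	 * Best-effort blacklist filter applied to request parameters before they are
	 * echoed into the page or bound to SQL parameters.
	 *
	 * Only the three patterns below are removed, in a single pass each, so input that
	 * does not match them is passed through unchanged. This is not a substitute for
	 * encoding the value for the HTML context at the point of output.
	 */
	class XSSchecker
	{
		/**
		 * Strips script elements, javascript: URLs and inline event-handler elements.
		 *
		 * @param string the raw parameter value; {@code null} is treated as empty
		 * @return the filtered value, or {@code ""} when {@code string} is {@code null}
		 */
		public String sanitize(String string)
		{
			// request.getParameter() yields null for an absent parameter; do not NPE on it.
			if (string == null)
			{
				return "";
			}
			// String is immutable: replaceAll() returns a new value that must be kept,
			// otherwise the filter is a no-op and the input is returned untouched.
			String cleaned = string.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
			cleaned = cleaned.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
			cleaned = cleaned.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
			return cleaned;
		}
	};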

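       try
       {
		// Per-request flow for "add presentation to screen":
		//   1. the caller must be logged in;
		//   2. administrators may use any screen, other users only screens that
		//      screen_owners links to their session id;
		//   3. both the screen and the presentation must exist;
		//   4. the pair must not already be present in screen_presentations.
		XSSchecker checker = new XSSchecker();

		// Minimal encoder for echoing request values into the HTML body. The blacklist in
		// XSSchecker is not a substitute for encoding at the output sink.
		final class HtmlEncoder
		{
			String encode(String text)
			{
				StringBuilder encoded = new StringBuilder(text.length());
				for(int i = 0; i < text.length(); i++)
				{
					char c = text.charAt(i);
					switch(c)
					{
						case '<': encoded.append("&lt;"); break;
						case '>': encoded.append("&gt;"); break;
						case '&': encoded.append("&amp;"); break;
						case '"': encoded.append("&quot;"); break;
						case '\'': encoded.append("&#39;"); break;
						default: encoded.append(c);
					}
				}
				return encoded.toString();
			}
		}
		HtmlEncoder html = new HtmlEncoder();

		// Session attributes are Objects: == compares references and only ever matched
		// interned literals, so use equals() for the login and role checks.
		if(!"true".equals(session.getAttribute("logged_in")))
		{
			out.println("Not Logged In");
		}
		else
		{
			out.println("<p><h2>Logged In</h2></p>");

			boolean isAdministrator = "administrator".equals(session.getAttribute("user_level"));

			// getParameter() returns null for a missing parameter; treat that like an empty
			// value, and run the filter once per value instead of on every use.
			String rawPresentationId = request.getParameter("presentation_id");
			String rawScreenId = request.getParameter("screen_id");
			String presentationId = rawPresentationId == null ? "" : checker.sanitize(rawPresentationId);
			String screenId = rawScreenId == null ? "" : checker.sanitize(rawScreenId);

			// isEmpty() instead of == "": the old reference comparison never matched a
			// value read from the request, so empty ids reached the database.
			if(presentationId.isEmpty() || screenId.isEmpty())
			{
				out.println("You must fill in both the screen id and the presentation id<br>");
			}
			else
			{
				out.println("<br>You selected presentation id: " + html.encode(presentationId) + "<br>");
				out.println("<br>You selected screen id: " + html.encode(screenId) + "<br>");

				Class.forName("com.mysql.jdbc.Driver");

				// SECURITY: the connection string embeds a database password in page source
				// (previously duplicated in both branches). It belongs in a container-managed
				// DataSource or init-parameter, and this password should be treated as exposed
				// and rotated.
				String url = "jdbc:mysql://ecstiger.cs.andrews.edu/d562_2010_01?user=u562_2010_01&password=YPJ8f4We";

				Connection con = null;
				PreparedStatement stmt = null;
				ResultSet rst = null;
				try
				{
					con = DriverManager.getConnection(url);

					// Authorisation: administrators skip the ownership lookup; everyone else
					// is allowed only when a screen_owners row exists for this screen and the
					// session user (a present row grants access, an absent row denies it).
					boolean allowed = isAdministrator;
					if(!allowed)
					{
						stmt = con.prepareStatement("SELECT * FROM screen_owners WHERE screen_id= ? AND user_id= ? ;");
						stmt.setString(1, screenId);
						stmt.setString(2, (String)session.getAttribute("id"));
						rst = stmt.executeQuery();
						allowed = rst.next();
						rst.close();
						stmt.close();
					}

					if(!allowed)
					{
						out.println("You dont have access to that screen<br>");
					}
					else
					{
						// Both ids must resolve to existing rows before anything is inserted.
						stmt = con.prepareStatement("SELECT * FROM screen, presentation WHERE screen.id= ? AND presentation.id= ? ;");
						stmt.setString(1, screenId);
						stmt.setString(2, presentationId);
						rst = stmt.executeQuery();
						boolean bothExist = rst.next();
						rst.close();
						stmt.close();

						if(!bothExist)
						{
							out.println("The presentation or the screen do not exist.<br>");
						}
						else
						{
							stmt = con.prepareStatement("SELECT * FROM `screen_presentations` WHERE screen_id= ? AND presentation_id= ? ;");
							stmt.setString(1, screenId);
							stmt.setString(2, presentationId);
							rst = stmt.executeQuery();
							boolean alreadyAssigned = rst.next();
							rst.close();
							stmt.close();

							if(alreadyAssigned)
							{
								out.println("This presentation is already on that screen, and it cannot be added twice.<br>");
							}
							else
							{
								stmt = con.prepareStatement("INSERT INTO `d562_2010_01`.`screen_presentations` (`id`, `screen_id`, `presentation_id`) VALUES ( NULL , ? , ? );");
								stmt.setString(1, screenId);
								stmt.setString(2, presentationId);
								int inserted = stmt.executeUpdate();
								stmt.close();

								if(inserted == 1)
								{
									out.println("<br>Add Succesful<br>");
								}
								else
								{
									out.println("<br>Add Unsuccesful<br>");
								}
							}
						}
					}
				}
				finally
				{
					// Release JDBC resources on every path, including exceptions. Closing an
					// already-closed object is a no-op, so repeating the in-flow close() calls
					// here is safe; each handle may still be null after an early failure.
					if(rst != null)
					{
						try { rst.close(); } catch(SQLException ignored) { /* best-effort cleanup */ }
					}
					if(stmt != null)
					{
						try { stmt.close(); } catch(SQLException ignored) { /* best-effort cleanup */ }
					}
					if(con != null)
					{
						try { con.close(); } catch(SQLException ignored) { /* best-effort cleanup */ }
					}
				}
			}
		}
       }
       catch(Exception e)
       {
           // Exception text reveals SQL, driver and host details; keep it in the server log
           // and show the browser a generic message.
           application.log("change_screen: request failed", e);
           out.println("An internal error occurred.<br>");
       }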
%>
<a href="menu.jsp">Main Menu</a>
</center>
</body>
</html>
